Wednesday, February 03, 2016

2014-15 Annual Report: The watchdog shows his teeth

As I noted here, there is a lot of interesting news in the CSE Commissioner's 2014-15 Annual Report, which was finally made public on 28 January 2016. (The Commissioner's reports are normally tabled in the June to August timeframe; the previous record for tardiness was the 2003-04 report, which was released on 8 October 2004. It is evident that the Harper government did not want the information that was in the report to be available to Canadians during an election campaign.)

The big news in the report was that, for the first time, the CSE Commissioner was holding out the possibility that CSE might be found in non-compliance with the law. The final answer to that question was left open in the report itself, which stated that the Commissioner was still examining the legal implications of the issue. By the time the report was finally tabled, however, Commissioner Plouffe had completed his review of the issue and concluded that CSE had failed to exercise due diligence and thus had violated the law. (For further details, see here.)

I see this decision as a very positive development. As I argued here, it was beginning to look as though CSE Commissioners would never find CSE in breach of the law for anything—or at least nothing short of admitted, unrepentant, and on-going illegality of the most brazen kind.

The danger of always letting CSE off the hook in the kinds of cases that actually do come up was two-fold: First, Canadians might come to see the Commissioner's annual assurances as largely meaningless, undermining one of the primary purposes of having the office. Second, CSE might come to see prevention of compliance lapses as relatively unimportant, since problems subsequently identified could always be fixed at some later time without consequences. By demonstrating that consequences are possible, at least in cases where CSE failed to exercise due diligence, the agency has been reminded that legal compliance has to be first on its priorities list at all times: it can never be left as an afterthought.

[Update 6 February 2016: I should probably add here that the only consequence that CSE has suffered to date (as far as we know) is public shaming, which is all that CSE Commissioners have the power to do. Whether the government will actually hold anyone in the agency to account in any more concrete way remains to be seen. Andrew Mitrovica discusses the parallel question of accountability at CSIS here: "Ex-spy watchdog asks: Why isn’t CSIS coming clean on tax data breach?" iPolitics, 5 February 2016.

Update 11 February 2016: This Globe and Mail article did report that "Prosecutors decided not to lay charges after being assured by Mr. Plouffe it was unlikely that any Canadian identities were actually compromised." Ruling out criminal proceedings does not prevent other forms of disciplinary action that might be appropriate in this case, however. Will any such steps be taken?]

Another benefit of finally wielding the hammer of compliance judgement is that the level of attention paid to the Commissioner's recommendations at the political/ministerial level cannot fail to be dramatically elevated. Maybe now—finally—going on fifteen years after the mandate of the Communications Security Establishment was enacted into law, we will see action on the clarifying amendments that successive Commissioners have sought from the beginning. (More on potential amendments below.)

Last year I lamented the continuing failure of successive Commissioners to "pick up the hammer"; it's good to see a more Thor-like Commissioner in action.

The big news in the 2013-14 report was that the Commissioner had finally been permitted to specify the number of "private communications" (communications with at least one end in Canada) used in intelligence reports or retained by CSE for possible future use during the agency's Mandate A (foreign intelligence) operations. That year the number was 66; this year the number is a mere 16.

Sixteen is a very small number, and it is useful that the CSE Commissioner is able to report it.

But, as I noted last year, it does not represent anywhere near a complete accounting of the Canadian communications intercepted or otherwise acquired and examined by CSE during the course of the year. It does not include communications of Canadians that do not fall into the definition of private communications, such as calls involving Canadians in which neither communicant is physically in Canada at the time. It does not include private communications intercepted and forwarded to CSE by Canada's SIGINT allies. It does not include private communications obtained during CSE's Mandate B (cyber security) operations. (This year's report has some interesting comments on those intercepts, however.) It also does not include private communications obtained during CSE's Mandate C (support to federal law enforcement and security agencies) operations. Finally, most importantly, it does not include the much larger number of Canadian communications intercepted or otherwise acquired by CSE that ultimately are neither used nor retained by the agency, but are simply assessed and deleted. How much larger that number is (and the scale of the even larger number of communications that receive preliminary monitoring of some sort but are never sent to an analyst to be "recognized" as private communications because automatic filters decide that they are not likely to be of interest) has never been revealed.

This is not to say there's a secret program to monitor everything Canadians say and do hiding under that almost inconsequential-looking sixteen number. Just a reminder that it is far from the whole story.

A useful innovation discussed in this year's report is the series of "spot checks" that the Commissioner has begun conducting on the larger set of private communications intercepted during CSE's Mandate A operations. These reviews cover all private communications "intercepted and recognized", not just those used or retained—but only those intercepted by CSE itself under its Mandate A. This year's spot checks covered the periods of 1 April 2014 to 20 June 2014 and 1 September 2014 to 15 October 2014, which together comprise 126 days, or 34.5% of the year.

Unfortunately, the Commissioner doesn't tell us how many Canadian private communications were intercepted and recognized during these review periods. This limits the reassurance value of his report.

I suspect that he would have been quite happy to publish this number, which would provide at least some, albeit partial, basis for assessing the scale at which CSE examines Canadian communications. Most probably CSE refused to declassify the figure. Elsewhere in his report, the Commissioner works hard to emphasize that the Minister of National Defence and CSE itself are not allowed to censor his public reporting. This is true, and of very great importance. They can't, for example, prevent him from reporting that CSE failed to comply with the law. But by controlling the power of declassification, they can and do reduce much of the Commissioner's reporting to generalities and often incomprehensibility. This has been an on-going problem for CSE Commissioners.

To their credit, the Commissioners have been gradually increasing the amount of hard information they are able to report, and this year's report contains some valuable new numbers (see below)—which also serve as important evidence that 16 private communications is far from the whole truth of CSE's interactions with Canadians.

Disclosures of Canadian Identity Information

When CSE issues a report that refers to a Canadian individual/corporation/organization etc. in some way, it "suppresses" the information that identifies that Canadian, replacing it with an expression such as "a named Canadian". CSE's customers can request this Canadian Identity Information (CII), however, and CSE will provide it if it assesses that the request is appropriate. (The RCMP might wish to know the actual name or contact information of a Canadian planning to import large quantities of illegal drugs, for example.)

This year, the Commissioner was able, for the first time, to provide statistics on the number of requests for CII made by Government of Canada clients during a portion of the year under review.

According to the report, CSE received 710 requests from Canadian government clients over a six-month period, or about 3.9 requests per day, for CII related to its Mandate A and Mandate B reporting, with the number of actual identities requested being even greater (a single request can involve multiple identities). This suggests that probably something on the order of 1500 requests were made during the entire year.

Not reported, unfortunately, was the percentage of times suppressed CII was requested or the percentage of times CSE acceded to those requests and provided the information sought. The report does state that some requests were refused, however.

Thinking about this in a back-of-the-envelope kind of way, the "sweet spot" to shoot for, it seems to me, would be a low request rate (CII requests in no more than say 10% of cases and possibly much lower than that) in combination with a high (say 90-95%) approval rate. A high approval rate would be desirable (when combined with a low request rate) because it would suggest that CSE's clients understand the rules surrounding the information and request it only when it is reasonably clear that they need it. A less than 100% approval rate, on the other hand, would also be desirable as it would suggest that approval is not granted as a matter of routine but is actually considered on a case-by-case basis.

By contrast, a high request rate combined with a high approval rate would suggest that the suppression of Canadian Identity Information in the original reports is more pro forma than a real privacy protection measure. A low approval rate would suggest, on the other hand, that CSE's clients are consistently seeking information about Canadians for which they have no justifiable need and/or that CSE's rules for access are incomprehensible or arbitrary and that its clients have no clear idea what sorts of requests may be approved.

Perhaps the Commissioner can provide some data on request and approval rates in future reports to help Canadians judge these possibilities for themselves.

It would also be helpful to know a bit more about the approval system itself in order to draw firm conclusions about its usefulness. Is it little more than a series of check boxes on an electronic form asking the requester to affirm that the identity information sought is essential to a full understanding of the intelligence in question and that such intelligence falls within the mandate of the agency requesting it? Do refusals only happen when some clown can't be bothered to read the form carefully enough to check the right boxes? A high but not perfect approval rate under those circumstances would not be much to celebrate. It would be nice if we had some basis for judging between these possibilities.

Getting back to the data that the Commissioner did provide, an annual rate of 1500 or so requests for Canadian Identity Information—which could imply (and here I'm guessing wildly) a grand total of something like 15,000 reports containing CII—presents a considerably different picture than that evoked by the Commissioner's affirmation that only 16 private communications were featured in reports in the same general timeframe.

The two measures address different things, of course. As noted above, CSE has access to many more Canadian communications than just those that it intercepts itself during Mandate A operations. More importantly, many of the references to Canadian identities that appear in CSE's reports are likely to have originated in communications that did not themselves involve Canadians. A foreign diplomatic communication might report, for example, that "named Canadian corporation" produces a particular kind of widget that would be useful for that country's prohibited ballistic missile program and that it might be possible to acquire these items through a front company based in the Bahamas. Few people would object to CSE reporting on such a communication, or to CSIS or the RCMP requesting the actual name of the company in order to prevent illicit technology transfers.

Still, the possibility that many thousands of CSE reports refer to Canadians every year, and that in hundreds of those cases the identities and other related information concerning those Canadians is ultimately released to other government agencies, highlights the extent to which CSE's activities really do impinge on or overlap with the personal lives of Canadians.

The Commissioner also reported that an unspecified number of requests for Canadian Identity Information were made by Canada's SIGINT allies (U.S., U.K., Australia, and New Zealand) during the year—and that approximately half of those requests were denied. Such a large percentage of denials would seem to indicate that CSE places a high priority on protecting Canadian privacy in such exchanges. However, as I suggested above, it might also indicate that the Second Parties have been seeking Canadian information for which they have no justifiable need and/or that they do not understand the rules that govern access to Canadian information. Either explanation is cause for some concern.

The Commissioner also recorded that "Six requests were made for disclosure of Canadian identity information to non-Five Eyes recipients. Five of these requests were made by a Government of Canada client and one was made by a Second Party partner. None were denied."

Since 2011, CSE has been obliged to conduct a "mistreatment risk assessment" before permitting the disclosure of Canadian identity information to non-Five Eyes recipients. I fervently hope but can't say I'm at all confident that this process is considerably more rigorous than the one that governs Canadian arms sales to countries such as Saudi Arabia. The Commissioner's report notes that he reviewed "some of the corresponding mistreatment risk assessments", but it doesn't say what he made of them.

One wonders why certain Five Eyes countries that have been known to conduct extra-judicial executions, cross-border kidnapping, detention without trial, and "enhanced interrogation" are not also subject to such assessments. One might even consider it a legal obligation to perform such due diligence under certain international conventions to which Canada is a party.

Another NDA amendment recommended

Another important bit of news in the 2014-15 report is that the Commissioner has added an additional item to his list of recommended amendments to the section of the National Defence Act that spells out CSE's mandate and powers.

Successive Commissioners have recommended that clarifying amendments be made to the NDA since shortly after the CSE-related sections were passed in 2001. The Commissioners have sought amendments related to the nature of the Ministerial Authorizations that govern the interception of private communications, the definition of the terms "intercept" and "interception", and other aspects of the law.

In 2007, the Harper government promised to proceed with amendments addressing these issues, but in fact it did nothing on any of them.

The Commissioner's new recommendation concerns the rules governing CSE's IT Security activities:

The National Defence Act was modified by the Anti-Terrorism Act in 2001 to, among other things, legislate CSE as well as its activities. Regarding IT security ministerial authorizations, it was established that the Minister of National Defence could authorize CSE to intercept private communications for the sole purpose of protecting Government of Canada computer systems or networks from mischief, unauthorized use or interference, in the circumstances specified in paragraph 184(2)(c) of the Criminal Code.

Subsection 184(1) of the Code establishes the offence of intercepting a private communication and subsection 184(2) sets out circumstances where the interception is not an offence. Paragraph 184(2)(c) applies to persons engaged in providing a telephone, telegraph or other communication service to the public who intercept private communications while providing the service.

I believe subsection 273.65(3) of the National Defence Act does not accurately reflect CSE’s activities because CSE undertakes activities beyond those considered in “the circumstances specified in paragraph 184(2)(c) of the Criminal Code.” I therefore recommended that subsection 273.65(3) of the National Defence Act be amended as soon as practicable to remove any ambiguities respecting CSE’s authority to conduct IT security activities that risk the interception of private communications.

According to the Commissioner's report, this new recommendation was also accepted by the Harper government, although we will never know how sincere that acceptance may have been.

More importantly, the current government's Minister of National Defence has announced his support for the recommendations in this year's report, including the recommendation to amend the NDA.

[Update 22 February 2016: Subsequent to the writing of this report, as noted in the press release that accompanied it, the Commissioner also recommended another amendment to the NDA, "to provide a clear framework for CSE's metadata activities." The release also states that "The Commissioner received a reply to his letter to the Minister of National Defence and the Attorney General of Canada and is pleased that they have accepted his recommendations related to metadata."]

If the government lives up to its commitments concerning these amendments—and takes the opportunity to enact the other recommended amendments as well—we may finally see the end of the legal interpretation issues concerning CSE's mandate that, in the words of one Commissioner, "have bedevilled this office since December 2001."

Because it's 2016, and about time.

Commissioner's mandate and privacy

And while we're on the subject of amendments to the NDA, let's talk about the CSE Commissioner's mandate to promote privacy.

Successive Commissioners have made privacy protection an important part of their activities, but as far as I can see the only basis for that in legislation is their mandate to assess compliance with the law, which enables them to assess compliance with, for example, the privacy protections provided to Canadians in the Charter of Rights and Freedoms.

The privacy protections that exist in law (to the extent that jurisprudence has made them clear) do provide a minimum level of protection—a floor—beneath which CSE must not be permitted to sink.

But it seems to me that Canadians could also benefit from having an active advocate for greater and continuously updated protections—a constant effort to raise the ceiling—so as to adapt to changing technology and circumstances.

Commissioners do seem to have tried to push the envelope on privacy questions. The current Commissioner describes his mandate as not only to assess compliance with the law, but also "to promote the development and effective application of satisfactory measures to protect the privacy of Canadians in all the operational activities CSE undertakes."

Wouldn't it be great if the government wrote this mission explicitly into the NDA when it proceeds with those other amendments?

CFIOG Cyber Support Detachments

On a totally different topic, one of the more interesting reviews conducted by the Commissioner during the past year was an examination of the SIGINT activities of the Canadian Forces Information Operations Group (CFIOG) Cyber Support Detachments.

These small military units, formerly known as SIGINT Support Elements, are located at major headquarters in Halifax, Victoria, Winnipeg, and presumably Ottawa.

CFIOG Cyber Support Detachments act as the go-between to provide CSE reports on foreign signals intelligence to clients within the [Canadian Armed Forces (CAF)]. The CFIOG Cyber Support Detachments provide foreign signals intelligence support to select CAF commanders for a spectrum of activities, ranging from planning to direct support to combat operations. The Detachments are not involved in either the collection of foreign signals intelligence or the production of related reports; they primarily provide situational awareness to their respective intelligence and operational staff.

The Commissioner's review "concluded that the Cyber Support Detachment activities conducted under the authority of Part V.1 of the National Defence Act were in compliance with the law, ministerial direction, and CSE policies and procedures." No recommendations were made for changes in any CSD activities. Nothing too interesting there.

What was more interesting about the review was that it featured another challenge to the CSE Commissioner's authority to review what he sees fit:

At the outset, my authority under the National Defence Act to review the CFIOG-controlled Cyber Support Detachments was questioned. After a six-month delay and many discussions between my office, CSE and the CAF, I exercised my authority and was provided direct access to Detachment staff and premises to ensure that their foreign signals intelligence activities conducted under Part V.1 of the National Defence Act complied with the law, ministerial direction, and CSE policy and procedures.

Now this is what I like to see!

Last year, it was CSE arguing that the Commissioner had no authority to examine the protection of information shared with the Second Parties, other years it has been other things, and my question has always been, why doesn't the Commissioner just point to his powers under the National Defence Act and start kicking ass and taking names? It is written right into the NDA: he has the power to investigate anything he sees as relevant to his mandate.

This time, the report says, he "exercised [his] authority".

That may just be a dramatic way of saying he managed to negotiate permission to go in, but it sounds more like he swung the hammer around a little bit first.

More of this please!

Also of interest: the Commissioner's report notes that the SIGINT reports accessed by the CSDs

may contain Canadian identity information that has been suppressed, that is, replaced by a generic reference such as “a named Canadian.” In the event that there would be a request for the disclosure of suppressed information, the Detachments would follow an established process and pass the request to CSE for action. To date, however, there has never been a request for the disclosure of suppressed Canadian identity information [through the CSDs].

At least somebody's minding their own business!

But it does leave me wondering how the SIGINT system's support to search and rescue operations fits in. SIGINT radio direction-finding stations are often used to help pinpoint the location of aircraft and ships in distress and to relay information about the occupants to the Rescue Coordination Centre.

Does such information not pass through the CSDs?

Maybe it's just that identity information is not suppressed in the first place in emergency situations where it may be necessary to help save lives, so the question of requesting its disclosure under such circumstances doesn't arise.

There is more to discuss in the 2014-15 report, but that's all I'm going to write about for now. More to come in a later installment!